Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

MS Print servers

vrivoire_97090
Nimbostratus
Nimbostratus
Hi all,

 

 

I am planning to use my new F5 LTM to load balance Windows Server 2003 print servers. For the moment, it doesn't work for me: I can see the shared printer but I can't map it.

 

 

Has anayone already "played" with LTM & MS print servers ?

 

 

Thanks,

 

 

Vincent

 

1 ACCEPTED SOLUTION

Christopher_Boo
Cirrostratus
Cirrostratus

Here's the new link to the guide for creating the WMI monitor. As I recall it was pretty straightforward. I'm even using the same interval and timeout. Looking at my monitor properties, the only thing I see that is different is my alias service port is 3389 and the external program path is /usr/bin/monitors. Also, you'll need to enable remote WMI requests on the win2k8 boxes if not already enabled.

 

Monitoring WMI Services from Big-IP

 

View solution in original post

42 REPLIES 42

Christopher_Boo
Cirrostratus
Cirrostratus
Did you ever get this to work?

vrivoire_97090
Nimbostratus
Nimbostratus
No. Have you got a solution ?

Christopher_Boo
Cirrostratus
Cirrostratus
No. I'm trying to get it working with Win2K print servers. Seeing the same issues as you. I'll post in this thread if I make any progress.

 

 

Thanks,

 

Chris

Christopher_Boo
Cirrostratus
Cirrostratus
Here is a link to another thread on this forum where a user got this working. I'll play with it more tomorrow.

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=30480&view=topic

 

Christopher_Boo
Cirrostratus
Cirrostratus
Got it working!

JMcDonald-CBBIT
Nimbostratus
Nimbostratus
Could you provide some details?

Christopher_Boo
Cirrostratus
Cirrostratus
Here are my rough notes for a W2K print server environment....Configuring Windows Printing using Big-IP

 

 

Special Hardware Requirements

 

 

Separate physical disk for spooler and swap file

 

 

Ethernet Gb

 

 

 

Special OS Requirements

 

 

Big-IP

 

 

Performance Layer 4 Virtual Server with Npath Routing

 

 

TCP only

 

 

No SNAT, address translation, or port translation

 

 

FastL4 Print Protocol proile (Loose Close Enabled, TCP Close Timeout 51 seconds)

 

 

Default Persistence Profile is Source Address

 

 

Health Monitor (TCP port 515 only, Interval 10 seconds, Timeout 31 seconds)

 

 

 

Wintel Servers

 

 

Must Configure a Loopback Adapter with IP of virtual server on all nodes

 

 

Loopback adapter metric set to 2

 

 

Registry Edits -

 

 

Disable Strict Name Checking

 

 

Locate and click the following key in the registry:

 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

 

On the Edit menu, click Add Value, and then add the following registry value:

 

Value name: DisableStrictNameChecking

 

Data type: REG_DWORD

 

Radix: Decimal

 

Value: 1

 

 

Disable Loopback Check

 

 

1. Click Start, click Run, type regedit, and then click OK.

 

2. In Registry Editor, locate and then click the following registry key:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

 

3. Right-click Lsa, point to New, and then click DWORD Value.

 

4. Type DisableLoopbackCheck, and then press ENTER.

 

5. Right-click DisableLoopbackCheck, and then click Modify.

 

6. In the Value data box, type 1, and then click OK.

 

7. Quit Registry Editor, and then restart your computer.

 

 

Configure Optional Names (the DNS Name of the Virtual Server)

 

 

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters,

 

then create the OptionalNames value, you can enter a list of names.

 

Restart the computer, and the server will then respond to any of the names you listed.

meena_60183
Nimbostratus
Nimbostratus
Can someone tell me how to set the loopback adapter metric to 2?

 

 

My server guys tell me that there is no such option.

 

 

Meena

meena_60183
Nimbostratus
Nimbostratus
Never mind! I just found it.

reddy_51986
Nimbostratus
Nimbostratus
HI,

 

 

 

Could any one can help, i am planing to implement Win2k8 print services with Big-IP LTM,

 

 

could you kindly share the implementation steps or guide.

 

Stefan_Klotz
Cumulonimbus
Cumulonimbus
Hi there,

 

I'm also fighting with MS print servers behind the BIG-IPs.

 

Based on the two Threads here in the Forum we configured nPath as described and also configured a loopback on the print servers with the VS IP-address. Also the two mentioned Registry tweaks were implemented.

 

But we still only get the listing working, nothing more. With setting the Metric for the loopback to 2 nothing was working, also ping monitoring from the LB to the print server was red then. That's why we removed it again.

 

Basically I'm also wondering why nPath routing is necessary at all. Normally nPath routing will only be used if you have a huge amount of outgoing server traffic, which should not go through the BIG-IP (to save resources and internal throughput). From a technical point of view nPath or having SNAT enabled should be the same, only difference with SNAT you have one additional hop for the response.

 

So can someone explain, why nPath is technical required for MS print servers? And does anyone has an additional idea, why it's not working for me? Btw. the result, that only listing is working is the same using nPath or SNAT.

 

Thank you!

 

 

Ciao Stefan 🙂

 

Christopher_Boo
Cirrostratus
Cirrostratus
Stefan,

 

 

Post your config and I'll compare to my working setup. Do you have the service port set to 0? My configuration is based off a lot of trial and error and a little less understanding. It does work though. I've been serving ~700 queues for a little over 2 years with multiple gigabytes of traffic going through the VIP every day.

 

 

Chris

Stefan_Klotz
Cumulonimbus
Cumulonimbus
Hi Chris,

as I'm only responsible for the Loadbalancer I can only provide this config (I hope the server guy has done his job correctly as well, he mentioned that he want's to test some additional things these days, but didn't get any feedback yet):

virtual mltprtp01 {
   destination 10.10.10.10:any
   translate address disable
   profile fastL4_print_profile
   pool printer_cluster_mltprtp01
   vlans Productie enable
}
pool printer_cluster_mltprtp01 {
   action on svcdown reselect
   monitor all check_mltprtp01_tcp_445
   member 10.10.10.20:any
   member 10.10.10.21:any
        
}
monitor check_mltprtp01_tcp_445 {
   defaults from tcp
   dest *:microsoft-ds
}
profile fastL4 fastL4_print_profile {
   defaults from fastL4
   tcp close timeout 51
   loose close enable
}
As you can see the VIP is in the same subnet as the printservers, but I hope this is not a problem.

Thank you for any additional ideas or information.

Ciao Stefan üôÇ

Christopher_Boo
Cirrostratus
Cirrostratus
VIP in the same subnet shouldn't be an issue. Your config looks fine to me. I can remember having the same issue you are dealing with. I just can't remember the change that fixed it. If you can't see the windows config though, I'd just about guarantee that is where your problem is.

 

 

Chris

meena_60183
Nimbostratus
Nimbostratus
The way I remembered why npath routing is needed is because the packet capture showed that the F5 will NAT the IP address in the tcp header but not on the tcp data. TCP data still showed the virtual server address. So, when the request is sent to the print server with the virtual server address, the print server rejects it.

 

 

When you configure a loopback address on the print server which is the same as the virtual server address, the print server will accept the request because it knows that as a loopback address.

 

 

 

We had frequent issues with that design where the server group had to restart the services or the server but now it seems to be ok. Most of the problems were related to the config on the server side.

 

 

 

Meena

 

 

 

 

 

 

 

Stefan_Klotz
Cumulonimbus
Cumulonimbus
In the meanwhile I got feedback from the server guy and he got it working now.

 

He enabled "Client for MS networks" and "File and Printer Sharing" on the loopback adapter and printers can now be mapped.

 

This is maybe interesting for someone else.

 

Btw. he mentioned that the two Registry tweaks were only implemented on one print server and the other one is working fine as well. But maybe this depends on the OS of the print server. I don't know which version they are running.

 

Thx all for the great support here.

 

 

Ciao Stefan 🙂

 

meena_60183
Nimbostratus
Nimbostratus
No SNAT needed! The original client IP is preserved and the return traffic from the print server goes directly to the client. F5 just does the transparent load balancing.

Stefan_Klotz
Cumulonimbus
Cumulonimbus
Hi Meena,

my question was not if SNAT is technical required, but if it's also working with SNAT enabled.

As I mentioned in my previous post, MS printing service has nothing to do with nPath routing. Based on the findings with the destinationIP in the TCP header and data part, the only requirement is the loopback adapter on the print servers.

I tested this with my server guy and I can confirm now, that it is still working with basic and default Loadbalancer settings, following is our current setup:

virtual mltprtp01 {
   destination 10.10.10.10:any
   snat automap
   translate service enable
   persist source_addr
   pool printer_cluster_mltprtp01
   vlans Productie enable
}
I also get confirmed from the server guy, that he is not using the two mentioned Registry tweaks. The print servers are running on w2k3.

Maybe this is helpful and interesting for someone else as well.

Ciao Stefan üôÇ

Christopher_Boo
Cirrostratus
Cirrostratus
Stefan, that's good to know. What Big-IP version are you running? I never thought to test using a standard config after upgrading. I think I was on 9.4 for the original setup. Since you got it working with a standard config, are you going to test tcp optimized profiles and one connect?

 

 

Chris

Stefan_Klotz
Cumulonimbus
Cumulonimbus
Hi Chris,

 

the affected cluster is running on 9.3.1

 

Further tests and optimizations are not planned, but with the default fastL4 profile TCP optimization is already at its best.

 

 

Ciao Stefan 🙂

 

Stefan_Klotz
Cumulonimbus
Cumulonimbus
Hi again,

 

I have to make a little correction on my second last post. Today we realized again problems and it wasn't working anymore (not sure why this happens today).

 

But we found the critical option on the LB, it's the Address Translation, which is enabled by default. It needs to be disabled for the MS printing service. All other settings can stay on its default values, no TCP- or fastL4 profile modifications and also SNAT can be used.

 

Based on the findings from Meena, that the IP-address in the TCP-data part will be used I thought it shouldn't matter if this option is enabled or not (so I choose the default setting).

 

To summarize my findings:

 

- we are using 9.3.1 and w2k3

 

- print server with loopback adapter (same IP as the VS)

 

- enable "Client for MS networks" and "File and Printer Sharing" on the loopback adapter

 

- the two Registry tweaks are NOT implemented

 

- VS and poolmembers with the "any"-port option

 

- disable Address Translation on the VS

 

- all other settings on the LB can stay at its default value or can match you individual preferences

 

- if the Default Gateway of the print server is not pointing to the LB, I prefer to enable SNAT to have a clear traffic flow and no asynchronous routing (makes things complicated especially during troubleshooting), but it will also work with SNAT disabled (doesn't matter from a technical point of view)

 

 

Ciao Stefan 🙂

 

Christopher_Boo
Cirrostratus
Cirrostratus
I'm in the process of building a new 2008 print server environment and wanted a better health monitor for print services. Following the instructions in the article below, you can create a health monitor for anything that can be queried via WMI (windows service state, cpu, memory, etc.). The title is kind of misleading as the benefits go much further than just terminal services monitoring, but the info is huge for me. Figured it was worth pointing out....

 

 

http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086419/Monitoring-Windows-Terminal-Services-from-BIG-IP.aspx

 

Ryan_110872
Nimbostratus
Nimbostratus
Stuck at the moment. I can map the printer fine if I connect through the VIP (eg. \\192.168.0.10 and double-click on the printer). But if I map the FQDN (eg. \\virtualserver.mydomain.com and double click on the printer) I get the error "Operation could not be completed (error 0x00000709). Double check the printer name and make sure that the printer is connected to the network."

 

 

This is Win2K8. Registry settings DisableLoopbackCheck, DisableStrictNameChecking, and OptionalNames are set. F5 Service Ports 0 (All services) are set on the Virtual Server and Pool config. Not sure what to do at this point, would appreciate any help! I have access to the F5 and the servers.

 

 

Christopher_Boo
Cirrostratus
Cirrostratus

Ryan,

 

The only thing I recall tripping me up with 2008 was having to enable weak host send/receive. See here...

 

http://technet.microsoft.com/en-us/...leguy.aspx

 

Let me know if this doesn't fix your problem. I'll take a closer look at my config.

 

 

Chris

 

Christopher_Boo
Cirrostratus
Cirrostratus

Also have a look at this. I don't have DNSOnWire enabled on any of my print servers, but every environment is different. Perhaps this is the fix for you.

 

http://forums.citrix.com/thread.jsp...tstart=165

 

Chris

 

Skye_85590
Nimbostratus
Nimbostratus
IMPORTANT: This thread has confused quite a few people - npath is not necessarily required to get MS file and printer sharing to work. It is entirely possible to set up a simple network topology, not Npath, and use a SNAT (automap etc).

 

 

The following config worked once the Microsoft server requirements were satisfied:

 

 

- Standard virtual using SNAT automap, mapped for all ports, no port translation, to a pool with members mapped on all ports. You can use a custom tcp monitor with an aliased port (click "Advanced" in the monitor config) to monitor the all ports pool.

 

 

MS server configuration requirements (was Windows Server 2003 in this case - would appreciate feedback in this thread regarding requirements identified on other Windows versions):

 

 

- Disable Strict Name Checking

 

- Configure Optional Names (the DNS Name of the Virtual Server)

 

 

I suspect kerberos to be involved and I would like to see packet captures before and after the change but do not have time to do a repro.

 

 

If using npath, this will likely be needed: Disable Loopback Check

 

 

Details of the registry settings:

 

 

Locate and click the following key in the registry:

 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

 

On the Edit menu, click Add Value, and then add the following registry value:

 

Value name: DisableStrictNameChecking

 

Data type: REG_DWORD

 

Radix: Decimal

 

Value: 1

 

 

Disable Loopback Check

 

 

1. Click Start, click Run, type regedit, and then click OK.

 

2. In Registry Editor, locate and then click the following registry key:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

 

3. Right-click Lsa, point to New, and then click DWORD Value.

 

4. Type DisableLoopbackCheck, and then press ENTER.

 

5. Right-click DisableLoopbackCheck, and then click Modify.

 

6. In the Value data box, type 1, and then click OK.

 

7. Quit Registry Editor, and then restart your computer.

 

 

Configure Optional Names (the DNS Name of the Virtual Server)

 

 

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters,

 

then create the OptionalNames value, you can enter a list of names. (This should be the DNS name setup for the VIP.)

 

Restart the computer, and the server will then respond to any of the names you listed.

Keep in mind when this thread was created about 90% of Devcentral focused on load balancing web servers. There was nothing from F5 and next to nothing on the net regarding hardware load balancing print servers. Based on Meena's thread and what I had found elsewhere, that config worked for me. Considering how many hits this thread gets, I dare say it has helped more than it has confused. You are correct though, npath is not necessarily required. I had more control in the design of our 2008 print environment and don't use npath in it. As with anything, test and see what works best for you.

Brian_Mayer_841
Nimbostratus
Nimbostratus

Hey guys,

 

We've just implemented a print server "load balancing" solution using our LTMs where, instead of distributing print jobs across 2-3 print servers, we used priority groups to ensure traffic always goes to a certain print server if it's online. The other server (pool member) with a lower priority would only get the print jobs if the primary was down.

 

Anyway, I'm using SNAT as the pool members are not on the same VLAN as the LTM. We're also using a simple tcp health monitor on port 515 to determine service health. Everything seems to be working. I didn't have to do a lot of the extra effort I noticed many others went through on the articles I read here on DevCentral.

 

We went with priority groups as the goal was to understand which printer would get any given pick slip out of our ERP print jobs, so we're not running around the warehouse looking for the printer where a job may have been sent. I'm not uber-thrilled with the health monitor, and have seen some WMI-type monitors that might come in useful.

 

I guess I'm wondering why I didn't have to deal with all the trouble many others have had? Are my print servers misconfigured, or do those registry changes only come into play when using nPath routing?

 

Thanks! B

 

Christopher_Boo
Cirrostratus
Cirrostratus

Brian

 

I think some of the confusion is in the objective. Some just need to send a print job to a load balanced print server. Others need end users to be able to map to print queues, download drivers, print, etc. Also every environment is different. I'm sure that is a factor as well. I'd strongly suggest using the WMI monitor. The TCP port check just isn't sufficient, or at least wasn't for us. I posted a link to the how-to a few years ago, but it looks like the site update broke it. I'll try to find it again. Believe it or not, I still have my Win2K print server VIP (NPath) in production as well as the Win2K8 print Server VIP (standard). They are both rock solid. I will say if bandwidth might be an issue, I'd go with Npath. But we haven't had a print server outage in years with either vs. multi-hour outages using Windows Print Clustering previously.

 

Chris

 

Brian_Mayer_841
Nimbostratus
Nimbostratus

Thanks Chris, this is a really helpful clarification. I'll look into WMI, as I vehemently despise TCP monitors for most apps in general. 🙂 Our print server jobs are all local site LAN traffic so bandwidth should not be an issue. Also, our print servers are all running Win2k8. If you can find the WMI link that would be cool, and if you might be able to share any details on how you've configured your WMI monitor to keep tabs on print services, I'd love to see how you've done it!

 

Thanks much, B

 

Christopher_Boo
Cirrostratus
Cirrostratus

Here's the new link to the guide for creating the WMI monitor. As I recall it was pretty straightforward. I'm even using the same interval and timeout. Looking at my monitor properties, the only thing I see that is different is my alias service port is 3389 and the external program path is /usr/bin/monitors. Also, you'll need to enable remote WMI requests on the win2k8 boxes if not already enabled.

 

Monitoring WMI Services from Big-IP

 

Christopher_Boo
Cirrostratus
Cirrostratus

Something interesting I found yesterday while trying to get our Optio app printing to the 2008 print server VS, the print jobs were erroring out with an error code 5. This is indicative of a permissions issue. Per Optio, the fix for 2003 server is to change local security policy to allow everyone permissions to apply to anonymous as the jobs are created by the system account on the Optio server and are treated as anonymous by the remote print server. This fix wasn't working in 2008 and Optio support was at a loss. After a bit of digging I found that you must also edit the "named pipes that can be accessed anonymously" local security policy to include SPOOLSS. After making this change, the jobs started printing successfully.

 

I hope someone may find this info useful as I wasn't finding much myself while trying to figure this out.

 

Chris

 

Christopher_Boo
Cirrostratus
Cirrostratus

Here's another print problem I've been noodling on for the last couple days and just figured out. Anonymous jobs going to zebra print queues (on 2008 R2) would spool, but not print. Anonymous has access to spoolss, so what could be the problem? It turned out to be driver isolation. With driver isolation enabled the drivers run in their own protected process, not the spooler process. I disabled driver isolation for the problematic driver and anonymous jobs started printing. That was an interesting one.

 

Chris,

 

Is there anyway you can send me some screenshots of the settings on your VS ? I see a couple of replies back that Brian Mayer says he just did a standard vs with snat, but id also like to do the same thing with priority groups, even though I'm not sure how to do this so if you or Brian can help me with the priority group settings. also if you provide me with the wmi string you used to monitor the servers it would be much appreciated.

 

Anonymous25
Nimbostratus
Nimbostratus

Hello everyone,

 

I am struggling to get a 2016 MS Print Server to sit behind the F5.

 

I have followed a number of different threads and posts from multiple load balancing sites, but have yet to come to the proper solution. In our environment, we need to be able to map to the individual printers. I am able to get the configuration as far as being able to start mapping a printer \\printserver\printername but when I click next, I just get an error. And if I click browse, there are no printers to select.

 

I have done multiple registry changes, enabled and disabled NetBios, and a bunch of other things. I am hoping that there is someone here who might be able to further assist me with this project.

 

Thanks!

As an additional update, it does not matter if I use the NPath iApp or build a virtual server. If I map to the printer directly through the print server, I have no issues, when trying to map through the F5, either via NPath or virtual server, I get an error on the Print Server using Wireshark stating, OpenprinterEx reponse, invalid printer name. it doesn't matter if I add it through the VIP or DNS name, I always get this issue.

 

Thanks.

Are you able to share some of your VIP config? Once we made the registry changes everything worked nicely for us.

Sure!

Version:

BIG-IP 13.1.0.1 Build 0.0.8 Point Release 1

 

ltm virtual VS_MSPrint {

  destination 10.41.18.252:any

  ip-protocol tcp

  mask 255.255.255.255

  pool Pool_MSPrint

  profiles {

    tcp { }

  }

  source 0.0.0.0/0

  source-address-translation {

    type automap

  }

  translate-address enabled

  translate-port disabled

  vs-index 24

 

 

ltm pool Pool_MSPrint {

  members {

    10.41.18.236:any {

      address 10.41.18.236

    }

 

I know I don't have any monitors setup right now as this is just a proof of concept function with a test server.

 

 

 

As far as registry/server changes, I have tried pretty much all of them in a variety of combinations

*Created Loopback adapter with same IP address as the F5 VIP

*Set the WeakHost settings for Net and Loopback adapters

*Set the Loopback Metric to 254

*Disabled Loopback check

*Disable Strict Name Chacking

*Optional Names

*DnsOnWire

*Disabled NetBios (with DNS entry on VIP)

*Modified the Hosts File with DNS names

 

Happy to make any changes or test things to see if we can get this working.

 

Thanks.

 

If anyone has any input at this time, I would appreciate it. Even as I continue to work on this issue, I am stuck and unable to move forward.

 

Thanks